258,000 Wisconsin Residents Notified of Adams County Government Data Breach

More than 258,000 people have had their personal health information, personal identification information and/or tax information exposed as a result of a data security incident in Adams County, Wisconsin.

A potential security breach was detected on March 28, 2018 after questionable activity was identified on the Adams County computer system and network. An investigation was launched to determine whether any sensitive data had been accessed and on June 29, a data breach was confirmed to have occurred.

Some evidence has been found that suggests PHI and PII has been accessed and potentially obtained by an unauthorized individual. 258,102 individuals have potentially been affected.

The exposed data was collected between January 1, 2013 and March 28, 2018 and were stored on the systems used by the departments of Health and Human Services, Child Support, Veteran Service Office, Extension Office, Adams County Employees, Solid Waste, and the Sheriff’s Office.

A criminal investigation has been launched into the breach and the suspect(s) have been prevented from accessing the entire Adams County network and accounts have been suspended pending a thorough investigation.

According to TV station WAOW, the prime suspect appears to be Adams County Clerk, Cindy Phillippi. Attempts are currently being made to have Phillippi removed from office.

A Verified Statement of Charges has been filed against Phillippi who is suspected of installing a keylogger on the network – a form of malware that logs all keystrokes entered on computers to capture passwords and other sensitive information. The keylogger was installed on almost all computers owned by the county.

Phillippi has been accused of the unauthorized accessing of confidential computer records, opening unauthorized checking accounts, deleting records, accessing the Health and Human Services building without authorization, disclosing confidential information to a former employee, and misleading an investigation into her actions. Phillippi’s laptop has been seized and is being forensically examined. Phillippi has not yet been charged with any crimes.

Phillippi has denied most of the allegations and claims she asked to be given access to confidential records to investigate a suspected case of pornography access by a department head. She also claimed that she did not login to the system and that other individuals had used her computer. The case is due to be heard by the Board of Supervisors on September 19.

Steps have already been taken to improve security and prevent any further breaches. The county has consulted with several different entities to identify possible vulnerabilities, security upgrades have been performed, and the County is working on enhancing its monitoring capabilities.

The County is currently investigating a long-term solution to improve security, although in the meantime software control mechanisms that had been manipulated have been disabled and administrative controls for system and data access have now been placed in the control of one individual.

Notifications will be sent to all individuals whose PHI, PII, or tax information was exposed in due course.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.